[Snort-users] reputation preprocessor and IDS

waldo kitty wkitty42 at ...14940...
Tue Jun 4 21:07:06 EDT 2013


On 6/4/2013 16:17, Russ Combs wrote:
> On Tue, Jun 4, 2013 at 4:04 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1
> to the latest snort versions... i whitelisted a CIDR block and they still
> generate alerts... specifically, we saw alerts on 129:20 when snort was
> reloading after setting the CIDR block in the whitelist file and bouncing
> snort with a complete exit and startup... we've also seen 128:4 when sshing
> into that sensor on a non-standard port but we DO have that non-standard port
> listed in the ssh config section of snort.conf... these alerts happen for
> only a short time and then snort seems to settle down and stop issuing them
> even though those same connections are still active or being terminated and
> restarted again...
>
> Do you have stream5_tcp: require_3whs set?  That might help reach steady
> state sooner.

yes, that has been part of our config files since it was introduced...

> i've just tested again an hour after the above alerts were logged and am
> seeing the same alerts as noted above... the traffic is very light compared
> to what many systems see... it is only a 100M internal LAN... there /may/ be
> some swapping going on on that test sensor... i'm seeing 7M of swap space
> currently used but i really don't think that that is getting in the way
> here...
>
> Do you have reputation: white trust set?  Default is to unblack (not trust).

ahhh... it is at the default... whitelist is the only one with any entries and 
the settings are the defaults in the distributed snort.conf... i will have to 
check that out...

the term 'unblack' seemed to mean 'treat the entry as not black if it is listed 
in the blacklist'... in other words, it is 'white' and therefore trusted... the 
documentation could use some work in this area ;)

> Also, you may need to set reputation: scan_local if the alerts are on local
> addresses.

well, it is a local LAN... snort is looking only at the traffic outside of its 
machine... not on its interior protected LAN... the addresses are RFC1918 but 
not within the netblock protected by snort...

eg: 192.168.100.0/24 -> sensor -> 192.168.200.0/24

the sensor's external address is 192.168.100.23/255.255.255.0 and its internal 
address is 192.168.200.1/255.255.255.0... yes, this sensor is a 
firewall/NAT_router device...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list